Guarding Health Data: Lessons from the Ascension Cyber Attack

In May 2024, a large-scale hack hit Ascension, a major player in the healthcare industry, and compromised electronic health records (EHR) and other systems across multiple states. It is a stark reminder that healthcare, where patient data is the most sensitive, needs robust cybersecurity.

The Ascension Ransomware Hack: A Case Study

In May 2024, Ascension, one of the largest health systems in the US, was hit with a ransomware attack. EHR and other systems were down across multiple states, and patient care and operations were impacted, but Ascension’s facilities remained open. Nathan Eddy, a graduate of Northwestern University’s Medill School, discusses cybersecurity in healthcare, bringing his IT security and journalism expertise to the table.

Ascension used downtime procedures, such as paper records for clinical care, to keep patient care going during the outage, ensure patient safety and protect patients’ sensitive information.

The hack started with an employee downloading a malicious file, which allowed the attackers to get into the network. The ransomware spread quickly and locked down several file servers and potentially patient data. Ascension was hit with operational disruptions, including being unable to process credit card transactions at its pharmacies and delays in prescription refills.

Emergency medical services were diverted as hospitals were experiencing system disruptions and had to prioritize patient safety.

Ascension restored EHR access in many areas and is offering credit monitoring and identity theft protection to those affected. While it wasn’t explicitly confirmed how far laterally the attackers moved in the network, the complexity of the attack suggests they likely did. Ascension is still working to restore systems like MyChart, so there are still operational challenges and recovery needs. They’re committed to getting systems back and managing the aftermath of the hack.

Electronic Health Record Vulnerabilities

Health systems’ IT infrastructures are full of holes, making them a target-rich environment for hackers. Common weaknesses include outdated software, no encryption, no access controls, and no staff training, all of which put sensitive information at risk. In the Ascension case, the hackers exploited these weaknesses to get in and escalate privileges in the network.

Outdated Software

Many health systems run legacy software that’s no longer supported or updated, so they’re vulnerable to known exploits. In the Ascension hack, it’s believed outdated operating systems and applications were a big factor. These systems didn’t have the patches to defend against the latest threats, so the attackers had an easy way in.

No Encryption of Sensitive Patient Data

Sensitive patient data on healthcare networks is often not encrypted, so once an attacker gets in, they can easily access and exfiltrate it. In the Ascension case, some of the files accessed were not encrypted, so the hackers could read and potentially misuse sensitive data.

No Access Controls

Healthcare organizations often have no access controls, which means once an attacker gets in, they can move laterally across the network with ease. In the Ascension breach, the lack of segmentation of network privileges allowed the hackers to escalate their access and compromise more systems. Proper access controls, like limiting user permissions and role-based access, would have mitigated this risk.

No Staff Training

Human error is a major vulnerability in cybersecurity. Healthcare staff often don’t have enough training to recognize phishing emails and other social engineering tactics. In the Ascension case, it’s believed phishing emails were used to trick employees into downloading malware. Better training programs focused on cybersecurity awareness would have prevented this breach by reducing the success of phishing attacks.

Privileged Access Management (PAM)

Privileged Access Management (PAM) is a key component of any cybersecurity strategy, especially in healthcare. PAM solutions manage and monitor privileged accounts so only authorized people have access to sensitive data and systems. By controlling and auditing access, PAM can prevent unauthorized activity and reduce the risk of breaches. For example, PAM could have stopped the attackers from moving laterally in Ascension’s network and limited the damage.

Cybersecurity in Healthcare Organizations and Providers

To protect healthcare data, organizations must put cybersecurity into practice. Best practices include software updates, robust encryption, multi-factor authentication and continuous staff training on cybersecurity awareness, plus regular security audits and penetration testing to identify and remediate vulnerabilities. Following the relevant regulatory guidelines keeps the organization compliant and protects patient data during a breach.

Healthcare organizations must also be ready to respond to a breach. That means having an incident response plan in place and communicating with the affected parties in a timely manner. Follow the relevant regulations to maintain operational transparency and protect patient data after a breach.

Admin By Request: The Whole Solution

Admin By Request offers a layered approach to cybersecurity to protect both SMBs and enterprises from advanced cyber threats. Our PAM solution addresses the vulnerabilities in the Ascension case by providing fine-grained access controls, real-time monitoring, and automated approval workflows, while also utilizing downtime procedures to maintain operations during incidents. With Admin By Request, healthcare organizations can strengthen their security, comply with regulations, and protect sensitive patient data.

Conclusion

The Ascension breach is a wake-up call about the importance of cybersecurity in healthcare. By knowing the common vulnerabilities and acting on them, healthcare providers can protect their data and patient trust. Human services play a big role in bolstering cybersecurity measures as ransomware attacks disrupt healthcare operations and put sensitive patient data at risk. Admin By Request is here to support these efforts with a PAM solution that secures and reduces the risk of future attacks.

Nathan Eddy is a graduate of Northwestern University’s Medill School. This article was informed by credible IT security reporting.

Sources:

https://www.bleepingcomputer.com/news/security/ascension-hacked-after-employee-downloaded-malicious-file/

https://www.bridgemi.com/michigan-health-watch/ascension-owner-15-michigan-hospitals-confirms-cyberattack-was-ransomware

About the Author:

S Dodson

With a solid background in computer science and graphic design, my career kicked off writing tech manuals for various companies in both the software and hardware realms. I then side-stepped into marketing and found my passion in cybersecurity. I fuse my tech know-how with design skills to craft engaging blogs that spotlight cybersecurity for businesses. My main focus now is championing the marketing efforts of Admin By Request Zero Trust Platform, where my creative take on cybersecurity helps me create content that's enlightening, entertaining, and impactful. My articles have graced the pages of InfoSec Magazine and top-tier security websites like OPSWAT. I'm on a mission to stress the significance of cybersecurity and to showcase how Admin By Request is shaking things up by making enterprise solutions simple, intuitive, accessible, and affordable to organizations of all sizes, in any industry. My goal is to craft content that informs, intrigues, and motivates action, helping businesses understand the pivotal role of cybersecurity in the digital age we're now living in. Through my work, I aim to close the gap between technology and its real-world applications, keeping our audience well-informed, interested, and ready for the ever-evolving cybersecurity landscape. I bring a blend of extensive experience, deep expertise, recognized authority, and unwavering commitment to trustworthiness in cybersecurity. My goal? To make complex topics relatable and actionable for businesses of all sizes - just like Admin By Request strives to do.
